Putting Intelligence in Key Management

Our previous blog posting established that storage encryption technologies, such as full disk encryption (FDE), and their associated key management functions should be separated from each other.

Motivations

There are two main motivations for this separation: the ability to use a single key manager for all platforms, and the ability to select and use whichever storage encryption technologies best meet the requirements regardless of their key management capabilities.

Similarly, because authentication goes hand in hand with key management, authentication for storage encryption technologies should also be separated from the encryption function. This is particularly important for remote architectures, such as public cloud usage, so that a single compromise does not lead to the exposure of both encryption keys and the encrypted material they protect.

Challenges

Within any organization, there are several layers of encryption and authentication that must be managed.

For example, many organizations use FDE technologies to protect individual user endpoint devices, such as laptops. These FDE technologies may be operating system-based or hardware-based; the future for the marketplace is expected to be a shift from software-based to hardware-based solutions.

In addition to the hardware layer and the operating system layer, there are also file and application layers to be considered in terms of local layers. Usually there are remote layers as well, such as cloud-based encryption and authentication.

Access to data, executables and other resources may need to be protected separately at each of these layers through use of encryption and/or authentication technologies. This causes significant problems for most organizations because of the complexity of managing the associated keys and credentials throughout the enterprise for all the layers. It is time consuming not only for individual users, who have to maintain and remember all of these pieces of information (such as passwords), but also for the organizations supporting these users. Imagine how many keys and credentials need to be managed and supported for the user community. Finding ways to improve the efficiency of encryption and authentication management for both users and administrators has become increasingly important.

Single Sign-On

The ultimate goal for enterprise encryption and authentication management is to have a unified key management solution that encompasses all the layers. Such a solution would greatly simplify key management by linking all the encryption keys (and their associated authenticators) for each user together, and centralizing management of all these keys throughout the enterprise. This helps ensure that proper management occurs, such as regular rotation of encryption keys and passwords. And it also improves the user experience by enabling single sign-on.

Single sign-on leverages a single user credential to unlock access to a user’s other credentials, such as for other layers or for different resources within a single layer (e.g., multiple applications). Besides strongly increasing usability, it can also improve security. It can enforce one strong instance of authentication for each user, such as multifactor authentication using smartcards or biometrics, and eliminate all the other instances of authentication. This, in turn, enables an organization to manage user authentication credentials behind the scenes because a user doesn’t need to know the individual passwords for each resource to be accessed. For example, the organization can set long and complex random passwords that the user never has direct access to.

To achieve true single sign-on for enterprise users, the single sign-on has to be based at the lowest layer possible. A lower-layer credential can be used to unlock higher-layer credentials, because those credentials are used after the lower-layer credential.

For example, an operating system password is needed before the passwords for the applications accessed from that operating system.

The reverse is not true: credentials at a higher layer cannot be used to unlock credentials for a lower layer. Therefore, the heart of any enterprise key management solution should be endpoint-based, and ideally below the operating system layer (with pre-boot authentication) so that it can be used for operating system credentials as well.

Application Awareness

It is also important that an enterprise key management product be application aware. Application awareness refers to the key manager having an understanding of the context and control over the environment in which each key is used. Without application awareness, a key manager cannot be used to set policy for each application or verify that each application’s environment is appropriately configured. An application aware key management system deals not only with keys but also users, devices, authentication methods, time and space (i.e., when and where a key may be used), groups, organization units, access privileges, and various policies such as disabling the capability of the endpoint to sleep if software-based FDE is used. This allows an application aware key management system to restrict access to individual applications based on many factors.

An endpoint-based product that works at the lowest layer and is application aware enables true single sign-on for encryption and authentication services for users throughout all the layers. Such a product can be called an intelligent key management solution.

Conclusion

As the use of encryption and authentication services to protect access to an organization’s data, executables, and other resources continues to increase, so does the need for more usable and effective enterprise key management solutions. Organizations are strongly recommended to plan for, acquire, and deploy intelligent key management solutions for their users. Such solutions enable single sign-on for users through all the layers of the enterprise IT resources, from endpoint devices and operating systems to cloud-based applications and files.

What’s more, intelligent key management can increase security by supporting a single instance of strong multi-factor authentication for each user while concealing all other encryption keys and authentication credentials behind the scenes. This allows these keys and credentials to be much more highly secured – for example, making passwords long, complex, and random, as well as changing the passwords regularly – which, in turn, reduces the likelihood of compromise.

In summary, organizations can increase security while improving usability and reducing effort for both users and administrators by deploying intelligent key management solutions to all user endpoints. Because these endpoint solutions are managed centrally, there is a single console for administrators to perform key management duties across many platforms and many forms of encryption. This helps organizations to keep total ownership costs low while improving their security.

Karen Scarfone is the co-author of this blog. She is a former senior computer scientist for the National Institute of Standards and Technology (NIST), and has over 15 years of experience across a wide variety of security domains.

Or

Leave a Comment

comments

Tagged Under:

Thi is the President and CEO of WinMagic, which he founded in 1997, with a vision to create encryption solutions that are secure, sophisticated yet easy-to-use for enterprises. Today this vision has evolved to Intelligent Management for Everything Encryption. When he is not busy running and growing the company, Thi is sport enthusiastic and thus always competitive. His one concession to constant competitiveness is leading a weekly Integral Taichi CK10 class at work, which provides relaxation and harmony to his hard working WinMagicians. Thi writes from a position of constant leadership and innovation; having two past successful ventures, his knowledge and experience will offer interesting insights within the security industry. Thi Nguyen-Huu

The Site is open to the public. Therefore, consider your comments carefully and do not include anything in a comment that you would like to keep private. By uploading or otherwise making available any information to WinMagic in the form of user generated comments or otherwise, you grant Winmagic the unlimited, perpetual right to distribute, display, publish, reproduce, reuse and copy the information contained therein.

You are responsible for the content you post. You may not impersonate any other person through the blog. You may not post content that is obscene, defamatory, threatening, fraudulent, invasive of another person’s privacy rights, or is otherwise unlawful. You may not post content that infringes the intellectual property rights of any other person or entity. You may not post any content that contains any computer viruses or any other code designed to disrupt, damage, or limit the functioning of any computer software or hardware.

By submitting or posting content on the blog, you grant WinMagic and any company substantially under its control, the right to remove any content or comment that, in WinMagic’s sole judgment, does not comply with the posting guideline, the terms of this website or is otherwise objectionable. You also grant WinMagic and any company substantially under its control the right to modify, adapt, and edit any content.

Your use of this blog is subject to the terms of use of the website on which this blog is hosted blog.winmagic.com. Because WinMagic values your thoughtful opinions, we encourage you to add a comment to this discussion. However, please don’t be offended if we edit your comments for clarity or to keep out questionable matters, and we may even delete off-topic comments. Any opinions expressed within the blog are those of the author and not necessarily held by WinMagic itself. The information on this blog may be changed without notice and is not guaranteed to be complete, correct, timely, current or up-to-date. Similar to any printed materials, the information on this blog may become out-of-date. Winmagic undertakes no obligation to update any information on the blog; provided, however, that WinMagic may update the information on this blog at any time without notice in WinMagic’s sole and absolute discretion.